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(54) Title: CRYPTOGRAPHIC APPARATUS AND METHOD FOR A DATA COMMUNICATION NETWORK 



(57) Abstract 



A data transmission network (12) has a plurality of 
computers (14) interconnected by a transmission channel 
(12). The computer communicates with the channel 
through a security device (16) which encrypts and decrypts 
data. The device uses a key packet distributed over the ne- 
twork from which a new key is derived by using the en- 
cryption process within the device. The encryption process 
makes use of a data sequence or "secret" peculiar to each 
domain so that the key generated in the domain is also 
peculiar to that domain. The key is changed as the encryp- 
tion proceeds and upon completion of the data trans- 
mission. Each device periodically generates a new key for 
distribution over the network. 
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CRYPTOGRAPHIC APPARATUS AND METHOD roR 
A DATA COMMUNICATION MPTWopff 

The present invention relates to a method and 
5 apparatus for encrypting and transmitting data. 

It is well-)cnown to transfer data between 
computers or other hosts over data communication 
channels. Such hosts are arranged in networks and allow 
transfer of data between a specific pair of hosts or to 
10 all hosts in the network according to established 
protocols. 

It is often desirable to transmit sensitive 
data on such a network and therefore the network must be 
made secure, for example by limiting access to the hosts. 

15 Alternatively, data may be encrypted prior to transfer so 
that even if access to the network is obtained, any data 
intercepted is not meaningful. 

Various techniques are known for encrypting 
data, many of which require a correlation between an 

2 0 encrypting operation performed on the data as it is 
generated and a decrypting operation performed by the 
recipient. To achieve this correlation, it is usual to 
provide keys that are used in a mathematical operaticrti 
performed on the data. Some techniques, such as public 

25 key systems, utilize different keys at the sender-^ and 

recipient but then require multiple transfers to achieve 

a secure transmission. Such a technique, however, 

reduces the overall data transfer capacity of a network 

and would not be compatible with existing communication protocols. 
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Other techniques utilize an identical but 
secret key at each host in the security domain. This 
permits data to be transferred with a single 
transmission. However, to provide the necessary degree 
5 of security, it is preferable to change the 3cey 

periodically so that a prolonged observation of the 
encrypted data sufficient to yield the key is not 
possible • 

The provision of a new key to each of the hosts 
10 in a domain must be accomplished in a secure manner; 

otherwise, the encrypted data becomes vulnerable. It has 
been proposed to distribute keys manually, i.e. utilxze 
secure couriers to provide a new key to users of the 
network but this is time-consuming, expensive and 
15 provides too long a period between updates. 

An alternative technique is to generate a key 
from a central unit and transmit it over the network. 
This, however, requires the transmission to be secure and 
requires the central unit to be operational at all times. 
20 A failure of the central unit disables the generation of 
new keys and may render the domain vulnerable, y ,T 

It is therefore an object of the present 
invention to provide a method and apparatus for 
encrypting data that is compatible with existing 
25 communication protocols and may be utilized within a 
network environment. 
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It is a further object: to provide a method and 
apparatus for generating keys on a periodic basis for use 
in the network. 

In general terms, the present invention 
5 provides a security device at each host in a security 
domain which uses a key in combination with a specific 
mathematical function to provide an encrypting bit stream 
as data is received • The bit stream is then used in an 
encrypting function to encrypt and decrypt data as it is 

10 received. As the encryption proceeds, the key is 

modified by the mathematical function to generate the 
encrypting bit stream. 

In the preferred embodiment, the mathematical 
function includes a register containing a secure, secret 

15 bit sequence. The key is used to generate an address for 
the register and extract the contents of the register for 
use in the mathematical function. 

To transmit new keys, each device may generate 
a data packet that is used in part as the key and in part 

20 as the data in an encryption process. The resulting 

encrypted data is then used as a new key. Because 1:he 
new key has been generated using a "secret" peculiar to 
the security domain, the key will also be peculiar to 
that domain. In this way, keys may be transmitted 

25 without encryption but still provide distinct 
unpredictable keys in a particular domain. 
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An embodiment of the invention will now be 
described by way of example only with reference to the 
accompany drawings, in which 

Figure 1 is a schematic representation of a 
5 network having a plurality of security domains; 

Figure 2 is a representation of a security 
device used in the network of Figure 1; 

Figure 3 is a schematic representation of the 
operation of the device shown in Figure 2 to encrypt 
10 data ; 

Figure 4 is a schematic representation of the 
format of a packet distributed on the network of Figure 
1; 

Figure 5 is a schematic representation of the 

15 operation of the device shown in Figure 2 using the 

packet of Figure 4; 

Figure 6 is a schematic representation, similar 

to Figure 3, of an alternative embodiment; and 

Figure 7 is a representation of the operation 
20 of the embodiment of Figure 6 similar to Figure 5^^ ^ 

rtTTTTRRAL TJVTWQRK AR RANGEMENT 
Referring to Figure 1, a local area 'network 10 
in Figure 1 comprises a data channel 12 to permit the 
25 transfer of packets of data between a plurality of host 
computers 14, such as a computer or computer terminal, 
individual hosts will be identified with alphabetic 
suffixes, i.e 14a, 14b, etc. Each of the hosts 14 
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requiring a cryptographic facility is connected to the 
data channel 12 through a security device 16 which is 
operable to encrypt data transmitted by a host 14 or 
decrypt data received by the host 14. Those hosts not 
5 requiring encryption, such as, for example, 14g are 
connected directly to the channel 12 . 

Data is transmitted in the channel in frames 
consisting of a preamble of a particular sequence of bits 
followed by a data packet. The packet consists of 

10 destination address (typically 4 8 bits) , a source 

address, the packet length and the information to be 
transmitted. The information will be followed by a 
cyclic redundancy check (CRC) of the data transmitted on 
the channel 12. The format of the packet is described 

15 more fully below with reference to KEY DISTRIBUTION. 

The first bit of the destination address will 
indicate whether the packet is to be broadcast on the 
network or is to be locally directed to a particular 
host. The exchange of data between the host 14 and the 

20 security device 16 and between the device 16 and the 

channel 12 is regulated by a conventional communications 
interface 15 operating on an established protocol as is 
well known in the art and will not be describied further. 
Each of the devices 16 performs a similar 

25 cryptographic operation on the data. However, to divide 
the network' 10 into a plurality of distinct security 
domains 18a, 18b, indicated by chain dot lines, the 
encryption keys used in the devices 16 of each domain 18 
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are different. Thus, encrypted data may be sent between 
hosts 14 of the same domain and will be received by hosts 
of different domains. However, these other hosts will 
not decrypt the data correctly. 

Each of the devices 16 operates in a similar 
manner and therefore its operation in encrypting and 
decrypting data will be described in detail first. 
Thereafter, the interaction of the devices within the 
network will be described. 



TTTF ^l^ryy-o^rnK PROCESS 
Referring to Figure 2, each of the devices 16 
includes an encryption module 20 having a key register 22 
which stores a 128 bit encryption key. At any given 
,5 time, the key is identical in each operable device 16 in 
the same security domain 18. As will be explained, the 
key will be changed periodically within the domain and 
will also change as the encryption proceeds. Because the 
key is Changed periodically, a 32 bit key sequence number 
20 is associated with each key and stored in a register 25. 

The encryption module 20 operates undef^t^e 
control of the interfaces 15 to intercept data flowing 
between the host 14 and data channel 12 to perform an 
encryption process so as to encrypt and decrypt the data 
25 as it passes through the device 16. The device 16 also 
includes a key generator module 33 that is used to change 
periodically the key in the register 22 in a manner to be 
described below. 
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As best seen in Figure 3 , the key stored in 
register 22 is used by each of a pair of parallel 
processing paths in each device 16 indicated as "B" and 
"L". However, only one path will be described in detail, 
5 as the processing is identical in both. 

The bits of register 22 are initially 
transferred into an active register 2 3 where they are 
subdivided into discrete groups to provide 16 8-bit 
addresses, Aq to A^^. Each address A contains an 8-bit 
10 word formed from 8 successive birs of the key in register 
22. 

A 1 X 256 bit register 24 is associated with 
each of the addresses A which together provide a primary 
memory 25. Each register 24 uses a respective one of the 

15 8-bit words from the active register 23 as its read 

address. The 256 bit sequence in each register 24 in the 
primary memory 25 is maintained secret prior to and after 
installation. In general, the sequence in a register 24 
is different to any other bit sequence in the other 

20 registers 24 of the same primary memory 25. In 

particular,, the bit sequence in the register 2 4 -in^path B 
associated with address A^ will, in general, be different 
to the corresponding register 24 in path L. However, the 
bit sequence in corresponding registers 2 4 in different 

25 devices 16 in the same domain 18 will be the same. Thus, 
the bit sequence in register 24 in path 3 associated with 
address Ap in device 16a will be identical to the bit 
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■ ^..Ti^ter 24 in path B associated with address 
sequence m register --^^ y 

Aq in devices 16c, 16d, 

Each register _24 outputs a single bit contained 
at the address corresponding to the bit sequence in the 
5 associated address A so that a total of 16 bits are 

outputted by registers 24 of primary memory 25. The 16 
.its are grouped into two 8-bit words and each is used as 

^r.r- a respective 1 x 256 bit register 26 
the address for a respei-^-^ 

^r,--™ a secondary memory 29. The bit 
which together form a seconuai.jf 

>, r,^ th» registers 26 in the same device 
10 sequence m each of tne regx:= 

is in general different and secret. However, it is 
identical to the corresponding register 26 in the 

^r. all other devices 16 of the same 
secondary memory 29 in all oizner a 

domain 18 . 

15 Each of the registers 26 outputs a single bit 

indicated as P,Q corresponding to the address designated 
by the 8-bit word. X pair of PS bits is similarly 
generated from the parallel processing path L and each 
pair Of bits is applied to a switch 27 which selects one 
20 of the pair of P.Q bits. If the destination address 

indicates that the packet is to be broadcast, thev'oAput 
of path B is selected, and conversely a local destination 
address ensures that path L is selected. The bits 
selected by switch 27 are applied to an exclusive OR 
25 function 28 which generates a single output bit 

identified as FEK and used to encrypt incoming data. 

The FEK bit is applied as one input to an 
exclusive OP (XOR) function 30. . bit ot the data strea. 
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received at the device 16 from associated hosr 14 ro be 
encrypted is applied to the other input of XOR function 
3 0 so that the output is encrypted data that is the 
product of the exclusive OR function of the FEK bit and 
5 the data. The encrypted bit is then transmitted from the 
device 16 to the channel 12. 

The selected P and Q bits are also applied to a 
2x4 truth table 32. Table 32 produces a different 4- 
bit output for each combination of P and Q. Thus, if P 

10 and Q are both 0, the 4-bit output may be 1010, whereas 
if P is 1 and Q is 0, the output may be 0110. It is 
preferred that output combinations having two l*s and two 
O's are used. 

The output of table 32 is replicated 4 times 

15 and distributed through a 128-bit sequence that is stored 
in an adder 34. Adder 34 is used to increment the active 
■ register 23 so that each 8-bit ceil of the register 23 
will be incremented by one bit of the output of table 32, 
Thus, if the output of truth table 32 is 0110, the bits 

20 in address \ ;^ ^ r b u ^s ^^^^ ^^'^ changed but the bits in 
address ^ 5 6 9 io 13 u ^® incremented by 1. -/Iri the 

event that an address A- that has all I's is incremented, 
its value will reset to all O's with no overflow. 
Provided output combinations with an equal distribution 

25 of I's and O's are- used in Table 32, the bit sequence in 
half of the addresses A in the key will change and 
produce a new key in the active register 23. 
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The generation of a new FEK bit then proceeds 
using the new key in active register 23, and is XOR'd 
with the next bit of data. The entire packet is 
encrypted with successive FEK bits in this way, starting 
5 at the second bit of the destination address and 

proceeding until the last bit of the CRC, which, is the 
last bit of the packet. The first bit of the destination 
address is not encrypted. It is used to indicate whether 
the B path ("1") or the L path ("0") was used to generate 

10 the FEK bits. 

Finally, the encrypted packet has appended to 

it a CRC field so that the encrypted packet will seem 

normal to any computers, such as 14g of Figure 1, that 

does not connect to the network 12 through a security 

15 device 16. This extra CRC has no other purpose. It is 

ignored by the security devices 16 that receive the frame 

containing the packet. 

The encrypted frame is composed of a preamble 
followed by the encrypted packet and the appended CRC. 
20 This encrypted frame is transmitted on the channel 12 in 
the normal way that unencrypted frames are tran^iUed. 

The same process is used to decrypt the data as 
it is received by a security device 16 in the same domain 
on the channel 12. If a meaningful decryption can be 
25 made, the key in register 22 will correspond to the key 
first used to encrypt a bit of the packet. The FEK bit 
initially generated by the key will therefore correspond 
to the FEK bit initially used to encrypt the data. By 
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XOR'ing the incoming encrypred data bir wirh the sasie FEK 
bit, the original data is obtained. Since the XOR 
function is reversible by a second encryption with the 
same key, the original bit stream results after the 
5 decryption provided the contents of the secret registers 
24,26 are the same in the decrypting device as they were 
in the encrypting device. 

An attempt to decrypt the data packet with a 
device 16 from another domain will not succeed as the bit 

10 sequences in the registers 24 and 26 will^differ. Thus, 
the same key will produce a different sequence of FEKs 
and will not correctly decrypt the data. This will be 
apparent from a comparison of the CRC included in the 
encrypted data and that obtained after decryption. 

15 After the encryption and decryption has been 

successfully completed for a packet, each 4-word span of 
the key stored in register 22 in each of the devices 16 
is incremented by the key sequence number stored in 
register 25. The newly generated key is then transferred 

20 to the active register 23 upon receipt of the next 
packet. ' 

Thus many packets may be encrypted from the 
same initial key with the key changing bit by'-fait within 
a packet and also changing on a packet-to-packet basis. 

25 

OPERATION WITHIN A NETWORK 
The destination address of a data packet will 
indicate whether the data is to be broadcast to each host 
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• ^w or to a sDecific host, i.e. 1°"- 

14 within a domain Oi. a . 

transfer, within the domain. 

vmere the data is to be broadcast, each host 14 
within the domain will receive the data decrypted by its 
5 associated device 16 and, upon completion of the paOcet, 
will update the key in register 22. Devices 16 
associated with hosts outside the domain will also 
receive the data packet but an attempt to decrypt the 
data will result in an incorrect CHC because the secret 
10 in their broadcast path B is different. 

There is an important difference in the 
operation of the security device le when it is decrypting 
a packet using the L path rather than the B path. In 
this case, the decrypted destination address that xs 
,5 generated bit-by-bit is compared bitwise with the network 
address of the associated computer 14 to which the frame 
containing the decrypted packet is being sent. As this 
bitwise comparison is taking place, the first 47 bits of 
the destination address of the associated computer 
,0 replace the actual destination bits of the packet^and are 
forwarded to the computer in their place. ^ ! 

If the result of the bitwise comparison shows 
that the decrypted destination address is exactly that of 
the associated computer 14, the 48th and last bit of its 
25 own destination address is sent to the computer, and the 
decrypted packet is sent bit-by-bit to the computer up to 
but not including the CRC that was added during 
encryption • 
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If the result of the bitwise comparison shows 
that any bit of the decrypted destination address in the 
incoming packet differed from the corresponding bit in 
the network address of the computer, the 4 8th and last 
5 bit of the destination address that is sent to the 

computer is the complement of the 48th bit of the last 
bit of its network address, and a standard pattern of 
bits, one pattern bit for each incoming packet bit, is 
forwarded to the computer 14 instead of the decrypted 

10 packet. The standard pattern is followed by an 

appropriate and correct CRC at the point where the CRC 
appears in the packet before' encryption. The standard 
pattern is preferably chosen to make this CRC easier to 
compute. Once the transmission is complete, the key 

15 register 22 in all devices that have seen a complete 

packet with a correct CRC 16 are updated as previously 
described. In this way, the key in the register 2 2 
remains the same for each device 16 in a domain even 
though the data packet is only decrypted by one device in 

20 the domain. 

If for some reason the transmission ^ 
interrupted, no change is made to the key in register 22. 

As noted above, each encrypted packet includes 
a CRC of the data as transmitted. This permits hosts 

25 without a device 16, such as host 14g, to process the 
packet through its interface and also permits the 
distribution of unencrypted packets throughout the 
network as may be desirable but only among those 



computers not attached to the network through a security 
device 16. 

KEY di!=;trtbution 
5 To Utilize the above encryption process, it is 

necessary to generate an identical key in each device 16 
in the same domain 18. It is also preferable that the 
key in each domain is different. The encryption process 
described above is utilized in the periodic generation of 
10 a new key within a domain as shown in Figures 2 and 4. 

The key generation module 33 in each device 16 
is used to generate periodically a key distribution 
packet that is transmitted over the data channel 12 and 
processed by the devices 16 in the same domain to 
X5 generate a new key in a manner to be described below 
assuming that one of the devices 16 has control of the 
channel 12 in a collision-free manner. 

The key distribution packet must be compatible 
with normal data packets and therefore has a similar 
20 format. However, indicators within the packet are used 
to identify it to other devices 16 as a key distriftuision 
packet and ensure that it is processed by the module 33 

to generate the new key. ' 

The format of a data packet produced by the key 
25 generator module 33 is shown in Figure 4. Each packet 
has a minimum bit length (in this example, 512 bits) and 
is arranged in notional blocks of bits. The packet will 
of course be preceded by a preamble as is usual. 
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The first, two blocks of the packet, whether 
used for normal data transfer or key distriburion, are 
each 48 bits and are respectively the destination address 
block 35 and the source address block 36. When normal 
5 data is to be transmitted, each address block 35,36 will 
be a 48 bit code indicative of the destination and source 
computer respectively. The first bit of destination 
address block 3 5 indicates whether or not the packet is 
to be processed by the broadcast path B, indicated with a 

10 "1", or by the local path L, indicated with a "0". The 
second bit of the addresses 3 5,36 is used to indicate 
whether or not the frame identification is under local 
control (1) or is a worldwide unique code (0) . With a 
normal data packet, worldwide unique codes will be 

15 indicated and followed by a 4 6-bit host computer address. 

Where the data packet is directed to a specific 
address, the destination address block 3 5 would commence 
with 00 or 01 and is followed by a 46 bit address for the 
recipient host computer 14. However, if the data packet 

20 is to. be broadcast over the network, the destination 

address block 3 5 would be constituted by a 1 folIcJw^d by 
47 bits, typically all "I's". 

A source address block 3 6 follows the 
destination address block 3 5 and is used to indicate the 

25 origin of the data packet. The source address will 

always begin with an "00" or "01" and will be followed by 
a 46 bit identifier code uniquely identifying the source 
computer . 
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TO distribute a new key in a security domain, a 
key distribution packet (KDP) is generated by module 33. 
Module 3 3 has special address contents for both 
destination address and source address stored in an 
5 address register 51 in the module 33 and is recognized as 
a key distribution packet by these contents. The 
destination address of a KDP could be 48 "1" bits, 
indicating a broadcast packet but it is preferred to use 
a special destination address peculiar to a KDP. The 
,0 source address 36 of a KDP is a specific bit pattern, 
beginning with "00" and followed by a 46-bit identifier 
code reserved for this purpose. The 48 bits of the 
destination address and 46 bits for the source address 
can be chosen during device manufacture. They will, 
15 however, be worldwide unique to a particular network; 

that is, all the devices 16 attached to the network and 
intended to change their keys synchronously will be 
identified with the same code. Typically, this will be 
limited to single domain. 
20 The worldwide uniqueness of the identifier 

codes is assured because these bit combinations aSreT 
regulated by an international organization such as the 
IEEE, in the present case, the identifier code used as 
the destination and source address will be indicative of 
25 a message originating at a security device 16 and 

therefore is a prime indication that the packet is a key 
distribution packet. Therefore, by using the 48-bit 
destination and source addresses, it is possible to 
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distinguish a key distribution packet from a normal data 
packet . 

The packet length is indicated by a 16-bit: 
packet length block 37 which, with normal data packets, 
5 precedes the information to be transmitted. When the 

packet is a key distribution packet, however, the packet 
length block 37 is followed by a 32-bit key sequence 
number block 38 derived from the key sequence register 25 
in encryption module 20 of the device 16 generating the 

10 KDP. The data in key sequence number register 25 is 

incremented by 1 for insertion in block 38 so that as the 
keys are updated in a domain 18, the key sequence number 
used in that domain changes in a controlled manner. Each 
host computer in the same domain should be operating with 

15 the same key sequence number. 

The key sequence number block 38 is followed by 
a 96 bit data block 40 and a 12e-bit data block 42 
separated by a fixed length padding block 45. The data 
in blocks 40,42,45 is generated pseudo-randomly by a 

20 random number generator 53 in the key generator module 3 3 
in the security device 16 that originated the KDR?. ^ 

The next data block 43 is 128 bits long, also 
obtained from the random number generator 53 j^n the 
security device 16 that originated the KDP. It is 

25 followed by a fixed length padding block 4 5 and a data 

field called the CRC frame integrity block 44 derived by 
the transmitting security device 16 during transmission 
of the KDP. 
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AS the key distribution packet is transmitted, 
the CRC frame integrity block 44 has to be generated and 
this is done by utilizing the encryption module 20 in the 
generating security device. As shown in Figure 4, the 
5 Key sequence number 38 and the data block 40, totalling 
128 bits, are loaded into the key register 23. The 
normal FEK encryption mechanism 20 is used, with the B 
path selected fay switch 27, to encrypt the incoming 128 
bit data block 42 and to place the 128 bit result into a 
10 holding register 50 in module 33. The contents of 

register 50 are then transferred to register 23, and this 
new key is used to encrypt data block 43. A cyclic 
redundancy check (CRC) of these encrypted bits is 
performed as the encryption proceeds and is used as the 
15 transmitted frame integrity block 44. 

Data blocks 40, 42, 43 and 44 are separated by 
the fixed length fields 45 to allow time for processing 
in the originating and receiving security devices 16. 

The packet is completed by a padding block 4 6 
20 to satisfy the minimum length requirements of the 

protocol and a 32 bit CRC block 48 that is gener^t^ from 
the bits of the packet as transmitted to check for error- 
free transmission. 



25 



VPV g-RNERATION 
Tlie key generator module 3 3 is activated to 
transmit a key distribution packet under the control of a 
timer 62 and attempts to gain access to the line 12. 
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Assuming that access is obtained, the key distribution 
packet is generated and transmirted over link 12 to be 
received at other security devices 16 on the channel 12. 
It is identified by each of the security devices 16 as a 
5 KDP because of the biz combination of the broadcast 

destination address 35 and the source address block 36. 
The key sequence number in block 3 8 is compared with that 
in register 25 in the receiving security device 16 and if 
the new key sequence number is greater than the existing 

10 one, the production of a new key proceeds. If the key 

sequence number is not greater than the existing one, the 
KDP will be ignored. Throughout the generation of the 
key, the device 16 will maintain a data stream to the 
associated host 14 to prevent generation of new packets 

15 from the computer interfering with the key generation. 

A similar process is followed to that used to 
generate the CRC frame integrity block 44 to generate a 
new key. At each of the receiving devices 16 having the 
correct correlation of key sequence numbers, the new key 

20 sequence number block 38 and data block 4 0 are loaded 
into the register 2 3 and used as the active key tc!^, 
encrypt the data block 42. The resulting encrypted, data 
is stored in the register 50 as the potential new key 
which should correspond with the contents of the register 

25 50 in the generating device 16. To check for the 
integrity of the transmission and encryption, the 
contents of register 50 are transferred to the active 
register 2 3 and used as the key to encrypt the data block 
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43. AS the encryption proceeds, a CRC is performed on 
the 128 bits of the block 43 and the result compared with 
the frame integrity block 44. If these are identical, 
the transmitting and receiving security devices must have 
5 the same B path memories 24,26 contents, and assuming 

physical security is adequate, the receiving device 16 is 
in the same domain as the generating device 16 and the 
contents of register 50 are transferred to the register 
22. The key sequence number in register 25 is also 
10 replaced by the new key sequence number and each device 
in the same domain is operating with a new but identical 
key. Thereafter, normal data may be transferred within 

the domain. 

It will be noted that although the key 

15 generator data packet is broadcast throughout the network 
10, a secure key is generated in each security domain by 
virtue of the unique secure bit sequences used to 
generate the FEK bit. If a packet appears to be a KDP 
but its key sequence number is not greater than the 

20 sequence number of the key it is using, or if a packet 
appears to be a KDP but the integrity block 44 djtea> not 
satisfy the comparison described, or if the packet 
appears to be a KDP but the overall packet CRC does not 
work out as it should, then some flaw has been detected 

25 in the packet. In all cases, invalid key sequence 

number, invalid integrity block 44, or invalid packet 
CRC, the packet is ignored and no change is made to the 
key register 22 or key sequence number 25. 
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PERIODIC GENERATION OF KEY DISTRIBUTION PACKET 
AND INITIALIZATION 

The above process assumes that a key 

distribution packet is deceived periodically and it is a 

5 particular benefit of the present, system that each of the 

security devices 16 has the capability of generating a 

key distribution packet. It is, however, possible to 

provide a central control to generare such packets if 

preferred. 

10 Because each of the devices 16 has the 

capability of generating a new key, the timer 62 in key 
generation module has a variable countdown period to 
ensure that one device 16 does not monopolize generation 
of the key distribution packets. After a particular 

15 device has gained access to the channel 12 and 

transmitted a new key, timer 62 of that device 16 is 
reset to an initial period (60-jo) seconds where 6 is an 
arbitrary time, e.g. 100 ms, and j is an integer that 
initially is zero. 

20 Each time a new key distribution packet is 

received by the device 16 and processed by the key 
generation module, a signal is also applied to the 'timer 
62 to increase the value of j by 1, i.e. decrease the 
interval set by the timer 62. Thus, as other: devices 16 

25 generate key distribution packets, the interval set by 
timer 62 will progressively decrease and ensure that 
eventually its associated device 16 will gain access. Of 
course, once access is obtained, a reset signal resets 
timer 62 to the initial maximum countdown period. If a 
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collision is detected during transmission of the key 
generation packet, the timer 62 is reset to its previous 
value. This preserves the status of the device 16 in the 
key generation process and also avoids progressively 
5 decreasing intervals between unsuccessful attempts. This 
would tend to cram a network being utilized near its 

maximum capacity. 

Because hosts 14 can be connected or 
disconnected from the network at any time, it has to be 
10 recognized that after connection or reconnection , an 
initialization period is required before the device 16 
will operate with the same key as other devices in the 
same domain. To mitigate the possibility of a newly- ' 
connected host 14 from gaining access and generating a 
15 key, the timer 62 is conditioned to calculate an 

increasing time-out interval. At initialization, timer 
62 sets the timeout counter at (60^jC) seconds where C is 
a function of the serial number of the unit 16 in which 
the module 33 is located. This will always be greater 
20 than the interval set by the counter 62 of a previously 
connected host 14 and therefore a new key will b^, ^ 
received before the timer of the new device counts down. 
When receiving the new key distribution packet, the 
discrepancy between key serial numbers is ignored and, 
25 provided the CRC frame integrity blocks 44 are the same, 
indicating a common domain, the transmitted key serial 
number is adopted and entered in the register 25. 
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GENERAL OPERATION 
In operation, therefore, a host: 14 that wishes 
to transmit data over the channel 12 will monitor network 
usage through the interfaces 15. 
5 According to its normal protocol, it will 

choose a time to transmit the frame containing the packet 
so as to minimize interference with other such frames. 
As the frame is received in the security device 16, it is 
encrypted by the encryption unit 2 0 and transmitted on 

10 the network 12 . The first bit of the destination address 
is not encrypted so that when it is received, it can be 
identified as a broadcast packet, encrypted through the B 
path of the unit 2 0 or a local packet, encrypted through 
the L path of the FEK unit. 

15 The received data is decrypted by the 

decryption unit 20 and its destination address 3 5 
examined to determine if it is intended for the 
associated host 14. If it is, the decrypted data passes 
through the communications interface 15 to the host 14. 

20 If the destination address indicates that the message is 
not intended for the associated host 14, the pa]^^ is 
ignored but the interface unit 15 maintains a data stream 
to the host to prevent the host requesting access to the 
link 12 and initiating a collision. 

25 Data received by devices 16 or unprotected 

hosts 14 outside the security domain of the originating 
host 14 will not be able to decrypt the data as the keys 
and the contents of registers 24,26 will differ. 
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When one of the timers 62 finishes its 
countdown, a signal requesting access to the channel 12 
is sent to the interface 15. If the data channel 12 is 
busy, the access is refused and the timer is reset to its 
5 previous value. If the data channel 12 is available, the 
generation of a key generation packet is initiated and 
transmitted over the channel 12. Devices 16 in the same 
domain will recognise it as a key generation packet and 
proceed to generate a new key as detailed above. Once 
10 transmission has been completed, the timer 62 is reset to 
the maximum period and the timers 62 in each of the other 
devices are rest to a reduced interval. 

It will be seen, therefore, that the network 10 
is self-sustaining in that new keys may be periodically 
15 generated by any of the security devices 16. The 

generation of different keys in each security domain 
enables a key generator packet to be broadcast throughout 
the network from any of the devices without compromising 
the security. The integrity of the domain is maintained 
20 by ensuring that the devices 16 are tamperproof and do 
not require modification of the hosts 14 or dat^« ehannel 
12. The encryption algorithm ensures progressively 
varying encryption keys that are periodically changed and 
therefore, in practical terms, entirely secure. 

25 

aT.TTT-RNAT TVT: CONFIG URATIONS 

AS described above, the secrets in registers 24 
and 26 in broadcast path and local path of domain are 
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different to those of other domains. This means chat the 
keys are generated on a domain-by-domain basis. In 
certain instances^ it may be desirable to have a common 
key throughout a network bur still retain separate 
5 domains. The present arrangement has the flexibility to 
accomodate this by providing common registers in the 
broadcast path of all domains but retaining differences 
between domains in the local path. The key distribution 
packet will then be recognized and processable by all 
10 devices 16 in the network to generate a common key 

provided its CRC block 44 is derived from an encryption 
in the B path. Even though a common key is used, secure 
transmission can still occur within the domain by using 
the local path. 

15 

SECOND EMBODIMENT 
A further embodiment of the security device 16 
is shown in Figures 6 and 7, with Figure 6 schematically 
illustrating its operation during encryption and 
20 decryption, and Figure 7 illustrating the generation of 
and distribution of new keys. Components havint^' a^ 
similar function to those described in the embodiments of 
Figures 1 through 5 will be identified with Like 
reference numerals with a suffix "a" added for clarity. 



25 



FEK BIT GENERATION 
Referring therefore to Figure 6, an active 
register 23a is formed from three linear recurring 
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sequence registers (LRS) each of which contains a portion 
of the key. The LRS register is a conanercially available 
register having the facility for internal feedback 
connections between cells of the register and may be 
5 arranged to ensure that no repetition of the sequence 
within the register occurs within 2^^ bits. Such 
registers are readily available. 

A first register 70 is identified as the key 
distribution frame (KDF) register and contains the key 
10 distribution frame sequence number that is transmitted 
with a key distribution frame as will be described in 
further detail below. The second register 72 is 
identified as a successful frame count register (SFC) and 
its contents are initially derived from the transmission 
15 of a key distribution frame. The contents of the SFC 
register 72 are incremented after a frame has been 
transmitted and for the purposes of the protocol, it is 
assumed that the transmission of 512 bits indicates that 
a frame has been transmitted successfully. The count in 
20 the SFT register 72 is incremented after each frame. 

The third register 74 is identified a^^ ^he FEK 
bit count register (FBC) and its contents are also 
generated during distribution of a key distribution 
frame. The contents of the FBC register 74 are 
25 incremented by 1 after each generation of a FEK bit so 
that during transmission of a frame, the contents of the 
FBC register 74 are continuously changing. A backup 
register 76 stores, the initial value of the FBC register 
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74 and reloads it after the transmission of each frame. 
This is necessary as the contents of the FBC register 
will be incremented even if the transmission of the frame 
is terminated due to a collision with another frame and 
5 so the contents of the register 7 4 in one security device 
would differ from that in other security devices in the 
same domain. Accordingly, by reloading the initial value 
of the FBC register at the start of each frame, all 
devices in the domain will have the same contents for the 

10 active register 23. 

The contents of the active register 23 are used 
to derive an address for each of the columns in a primary 
memory 25a. Each column 24a of memory 25a corresponds to 
a register 24 shown in Figure 3 and provides a single bit 

15 output for each address. The address for each column 24a 
is derived from a 96 bit address register 78 which 
receives the bits of each of the registers 70,72,74. The 
bits of the registers 70 through 74 are interleaved in 
the primary memory address 7S such that uwo bits from rhe 

20 register 70 are followed by two bits from the regisrer 7 2 
which in turn is followed by two bits from the r;i^g5ster 
74 ♦ Six such bits are then grouped to provide a six-bit 
address for a respective register 24a. Each of the 
columns 24a has a distribution of I's and 0*s which is 

25 approximately equal and each of the columns 24a has a 

combination- that is secret and preferably different from 
any other column in the primary memory 2 5a. As before, 
however, each of the columns 24a in one of the devices 16 
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Will have a corresponding register 24a in another of the 
devices 16 in the same domain and sharing the same 
secret. 

The output from the primary memory 25a is a 
5 16-bit address which is used to address a 1 x 2^* 

secondary memory 29a. The contents of the secondary 
memory 29a are also secret but identical with other 
devices in the same domain and have a substantially equal 
distribution of I's and O's within the memory. The 
XO output from the secondary memory 29a is a single FEK bit 
Which is exclusive OR'D at the XOR function 30a with 
incoming data. Encrypted data is then transmitted as the 

outgoing bit stream. 

Upon successful transmission of 512 bits, a 
15 frame detector 80 assumes that a successful frame 

transmission has occurred and, upon detection of the 
start of the next frame, will increment the contents of 
the SFC register 72 by 1. The detection of a start frame 
delimiting pattern in the preamble of a frame will also 
20 reload the contents of the FBC register 74 so that the 
initial address in the primary memory address 78:Wi?ll 
differ from frame to frame. The contents of the KDF 
sequence number register 70 remain constant until such 
time as a new key is distributed over the network. It 
25 Will be seen, however, that the FEK bit is generated from 
a dynamic key to generate the addresses for two memories, 
the contents of which are secret. 
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KEY G£N£R,\TIQN 
The generation of the key is again accomplished 
by any of the security devices 16 as will be described 
with reference to Figure 7. The format of the frame 
5 distribution packet is generally similar to that shown in 
Figure 4 and includes a preamble followed by a start 
frame delimiter sequence followed by a destination 
address 35a. The destination address 35a indicates that 
the frame is to be broadcast within the domain and is 

10 followed by a source address 36a. The source address 36a 
is derived from a register equivalent to the address 
register 51 in Figure 2 and identifies to the recipients 
of the frame that the frame is a key distribution packet* 
The recognition of the source address 3 6a causes the 

15 contents of the registers 70,72,74 to be remporarily 

stored in parallel registers 70a, 72a, 74a so that if the 
frame is not correctly received, the previous contents of 
the active register 23a can be restored. 

The recognition of the source address 36a also 

20 initializes the LRS 70,72,74 so that they contain a full 
count of I's. A pad 37a is provided between ti^ .^ource 
address and the KDF sequence number 3 8a to allow for the 
initialization of the registers. The KDF sequence number 
is the contents of the KDF register 7 0 incremented by 1 

25 and is initially compared with the existing contents of 
the register 70 to ensure that it is a valid key sequence 
number. Assuming that it is, the new key distribution 
sequence number 38a is loaded into the KDF register 70. 
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The KDF sequence number 38a is a 64-bit sequence which is 
loaded into the register to initialize a new sequence of 
bits in the register. This sequence will be identical 
for each device 16 in the same domain. The contents of 
5 the registers 72 and 74 are still all I's. 

A pad is provided after the KDF and is then 
followed by a data field 40a. The data field 40a is a 
random sequence of 64 bits generated by the random number 
generator 53 in Figure 2. This sequence of bits is fed 
10 through the XOR 30a and encrypted by a sequence of FEK 
bits produced using the contents of the registers 
70,72,74 to generate the addresses for memories 25a and 

29a. 

The first 32 bits of encrypted data are fed 
15 into the SFC register 72 to generate a new SFC. At the 
same time, the generation of a FEK bit from the secondary 
.nemory 82 also increments the FBC register 74 so that its 
contents are changing as the first 3 2 bits are fed 
through the XOR gate 30a. 
20 The next 32 bits are also encrypted and are 

exclusive OR'D with the FEK bit count to incremettt^^the 

FBC register 74. 

After the random data 40a has been .processed, 
the frame distribution packet includes a pad 45a followed 
25 by a data field 42a made up of 512 bits generated by the 
random number generator 53. The purpose of the second 
data field 42a is to check the integrity of the frame 
distribution packet by means of the integrity CRC 44a 
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appended to the packet. This check is done, and indeed 
the ICRC 44a is generated using an ICRC generator 84 
which is a 3 2-bit LRS register similar to that used for 
the registers 70,72,74. Each of the bits of the random 
5 field 42a is encrypted with the FEK bit by the XOR gate 
30a and fed to the ICRC generator 84. This is initially 
set at a full count - that is, all I's - and is 
incremented by the value of the encrypted bit. At the 
end of the data field 42a, the contents of the ICRC 

10 generator 84 should match those of the ICRC field 44a. 
The contents are compared, and if the patterns are 
identical, it is assumed that the frame distribution 
packet has been transmitted satisfactorily. The value of 
the FBC register 74 is then stored in the FBC register 76 

15 and the contents of the registers 70,72,74 operate as the 
new key. 

If for some reason the ICRCs do not match, the 
values in the registers 70,72,74 are deleted and the 
previous values temporarily stored in registers 
20 70a, 72a, 74a are replaced until a new frame distribution 
packet is recognized. ./ ^) 

It will of course be understood that the 
generation of a frame distribution packet is -essentially 
the same with the destination data 35a, source data 36a, 
25 key sequence number 3 8a and the random data provided by 
the frame distribution module 33. Again, therefore, the 
encryption module 20a is utilized to generate a new key 
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both for transmission and for reception in each register 

in the same domain- 

If the frame distribution packet is received in 
another domain, the primary memory and secondary memory 
5 25a, 29a will have different secrets and therefore will 
not generate a new key in which the ICRCs are matched. 
This is because the ICRC is generated using the 
encryption keys that are peculiar to a particular domain. 
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We claim; 

1. A data cominunication system comprising a 
plurality of hosts interconnected by a communications 

5 channel to allow data transfer therebetween, at least 
some of the hosts having a cryptographic security device 
associated therewith to organize said hosts into a comnion 
security domain, said device having an encryption 
function operable to encrypt data transmitted through the 

10 channel to other hosts in said domain and decrypt data 
received through the channel from other hosts in the 
domain, a packet generating function to generate and 
distribute on said channel a key distribution packet, and 
a key generation function to receive said key 

15 distribution packet and generate therefrom an encryption 
key for said encryption function that is common to eacfa 
host in said domain. 

2. A data communication system according to clai^n 
20 1 wherein said key distribution packet includes an 

identifier to distinguish said key distribution* packet 
from other data packets and each of said devices includes 
means responsive to said identifier to direct said key 
generator data packet to said key generating function. 

25 

3. A' data communication system according to claim 
1 wherein said packet generating function in each device 
operates periodically to request access to said channel - 
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4. A data communication system according to claxm 

3 wherein said packet generating function includes a 
timer to determine the interval between requests for 
access to said channel. 

5 

5. A data communication system according to claim 

4 wherein said timer is adjustable and intervals between 
requests progressively decrease until access to said 
channel is obtained. 

6. A data communication system according to claim 

5 wherein said interval is decreased upon receipt of a 
key distribution packet from another device and 
generation of a new key therefrom. 

7. A data communication system according to claim 
1 wherein said key distribution packet includes first and 
second portions, said first portion being utilized by 
said key generation function as a key in said encryption 
function to encrypt said second portion and thereby 
provide a new key for said encryption unit. 



A data communication system according to claim 
7 wherein said key distribution packet includes a check 
25 function obtained by encryption of a portion of said key 
distribution packet by said new key. 
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9. A data communication system according to claim 

8 wherein said key generator packet includes a third 
portion to be encrypted by said new key to generate said 
check function. 

5 

10. A data communication system according to claim 

9 wherein said first, second and third portions are 
generated by a pseudo random number generator within said 
packet generating function. 

10 

11. A data communication system according to claim 
1 wherein each of said encryption functions has a key 
serial number associated therewith and indicative of the 
key utilized by said encryption function, said key 

15 distribution packer including an indicator derived from 

said key serial number and providing a means to associare 
devices utilizing a common key. 

12. A data communication system according to claim 
20 11 wherein said indicator is included in one of said 

portions . 

13. A data communication system according to claim 
6 wherein said timer is reset zo a prederermined maximum 

25 upon a device associated therewith rransmitting a key 
distribution packet to other hosts in said domain. 
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A data communication system according to claim 
13 wherein said timer is set to a period exceeding said 
maximum upon connection_ of said device to said system. 

5 15. A method of distributing an encryption key in a 

data communication network having a plurality of host 
interconnected by a data co^ication channel and each 
host having an encryption function associated therewith 
comprising the steps of transmitting on said network a 

XO key distribution packet, utilizing a first portion of 
said packet as a key in said encryption function, 
encrypting a second portion of said packet by said 
encryption function with said first portion utilized as 
said key and using the encrypted data as a new key. 



16. A method according to claim 15 including the 

step of comparing a check function derived from said new 
key with a check function contained in said key 
distribution packet to confirm an identity of encryption 
20 function between a device generating said key ^ 
distribution packet and a device receiving said"k^y 
distribution packet. 

17. A method according to claim 16 including the 

25 step of utilizing said first and second portions of said 
key distribution packet as a key and data respectively in 
said generating device to provide a new key, utilizing a 
third portion of said packet as data to be encrypted by 
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said new key, deriving froin the encrypted data a check 
function and including said check function in said key 
distribution packer for comparison with a check function 
similarly derived at said receiving device. 

5 

18. A method of encrypting data for transmission on 

a communication channel comprising the steps of 
establishing a key having a plurality of bits, grouping 
selected ones of said bits to provide an address for 

10 accessing a register containing data, outputting the data 
contained at that address, utilizing the data in a 
predetermined manner to provide a bit to encrypt a 
corresponding bit of the data to be encrypted, and 
modifying the key in a manner derived from the generation 

15 of the encryption bit to provide a different bit sequence 
at said key to generate a different address for said 
register when generating the next encryption bit. 

20* A method according to claim 18 wherein the 

20 output from said register is utilized as at least one bit 
of an address for a further register, the output frotti the 
further register being utilized to generate said 
encryption bit. ' 

25 21. A method according to claim 18 wherein a 

plurality of discrete groups are formed from said key and 
a register is associated with each group. 
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A method according to claim 21 wherein outputs 
of said registers associated with said groups are 
organized to provide an_ address for each of a set of 
further registers, each which provides an output fro. 
5 which the encryption bit is utilized. 

23 A ^lethod according to claim 22 wherein said set 

Of further registers includes a pair of registers each of 
which provides a single bit output. 

24. A method according to claim 23 wherein said 
bits are combined to produce said encryption bit. 

25. A method according to claim 24 wherein said 
15 bits are combined by an exclusive OR function. 

26. A method according to claim 22 wherein said 
outputs are utilized to determine the modification of 



20 



said key. 



27. 



A method according to claim 22 wherein/'the 



outputs determine which of said bits of said key are to 
be changed. 
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